Default firewall mikrotik
11/20/2023

Let's say that my public facing IP is 10.0.0.1. I can't webfig into 10.0.0.1 from external and can't SSH into the mikrotik router from an external IP. I can do it if I am physically connected to the router (on the same LAN). It allows me to webfig and SSH both, either by using 10.0.0.1 or by using 192.168.88.1. However, if I'm on a different LAN, I can't connect.

BTW, I set my IP > Services > ports: webfig is 64291 and SSH is 23.

Filter rules:

    0 chain=input action=accept connection-state=established,related,new in-interface=bridge-local log=no log-prefix=""
    1 chain=input action=accept protocol=icmp log=no log-prefix=""
    2 chain=input action=drop log=no log-prefix=""
    3 chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
    4 chain=forward action=accept connection-state=established,related,new in-interface=bridge-local log=no log-prefix=""
    5 chain=forward action=drop connection-state=invalid log=no log-prefix=""
    6 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""

NAT rules:

    0 chain=srcnat action=masquerade to-addresses=X.X.X.X out-interface=ether1-gateway log=no log-prefix=""
    1 chain=dstnat action=dst-nat to-addresses=192.168.88.200 protocol=tcp dst-address=X.X.X.X dst-port=80 log=no log-prefix=""
    2 chain=srcnat action=src-nat to-addresses=X.X.X.X protocol=tcp src-address=192.168.88.0/24 log=no log-prefix=""
    3 chain=dstnat action=dst-nat to-addresses=192.168.88.200 to-ports=22 protocol=tcp dst-address=X.X.X.X dst-port=22 log=no log-prefix=""
    4 chain=srcnat action=src-nat to-addresses=192.168.88.200 to-ports=22 protocol=tcp src-address=192.168.88.0/24 log=no log-prefix=""
    5 chain=dstnat action=dst-nat to-addresses=192.168.88.1 protocol=tcp dst-address=X.X.X.X dst-port=23 log=no log-prefix=""

Reply:

You are dropping all incoming traffic from ether1-gateway. Disable rules #2 + #3 and test again. Or you can make an exception for your ssh+www ports.

Reply:

Start by upgrading your RouterOS version. Some older releases have had certain weaknesses or vulnerabilities that have been fixed.

For making a secure router, it isn't a best practice to change ports; that creates a false sense of security. I recommend you remove #2.

How to secure open/redirect ports:

    /ip firewall filter add chain=input action=accept dst-port=22,80,443 in-interface=ether1-gateway protocol=tcp
    /ip firewall filter add chain=input action=drop in-interface=ether1-gateway

PS: ether1-gateway is the WAN port, dst-port are the ports that you would like to leave open.
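The two replies above boil down to one point about rule order: RouterOS evaluates filter rules top to bottom and stops at the first match, and the poster's filter rule #2 (chain=input action=drop with no matcher) sits before any rule that accepts WAN traffic, so every packet addressed to the router from ether1-gateway is dropped before rule #3 or any exception is reached. The following input chain is an added example, not code from the thread or from MikroTik: it puts the accept for the management ports above the WAN drop, as the second reply's two commands do, and additionally restricts that accept to a source address list. The interface names ether1-gateway (WAN) and bridge-local (LAN) are the thread's own; the address list name "mgmt-allowed" and its 203.0.113.0/24 entry are invented placeholders (a documentation address range), and SSH on 22 and WebFig on 80/443 are assumed defaults. Replace those with your own values.

```routeros
# Added example: a complete input chain for the setup discussed above.
# Not from the original thread. Interface names come from the thread;
# the "mgmt-allowed" list and its address are placeholders (assumption).

/ip firewall address-list
add list=mgmt-allowed address=203.0.113.0/24 comment="admin networks allowed to manage the router from the WAN (placeholder)"

/ip firewall filter
# 0: replies to connections the router itself opened, and related traffic
add chain=input action=accept connection-state=established,related comment="return traffic to router"
# 1: packets that connection tracking cannot tie to any flow
add chain=input action=drop connection-state=invalid comment="invalid"
# 2: the LAN side may reach the router's services
add chain=input action=accept in-interface=bridge-local comment="LAN to router"
# 3: keep ping working so reachability can be diagnosed
add chain=input action=accept protocol=icmp comment="icmp"
# 4: management ports from the WAN, only from listed source addresses.
#    This MUST sit above the WAN drop; first match wins.
add chain=input action=accept in-interface=ether1-gateway protocol=tcp dst-port=22,80,443 src-address-list=mgmt-allowed comment="ssh+www from trusted admins"
# 5: everything else that arrives from the WAN for the router itself
add chain=input action=drop in-interface=ether1-gateway comment="drop the rest from WAN"
```

Two caveats a practitioner would check against the thread's own NAT table before testing. First, NAT rule #3 already dst-nats TCP port 22 on X.X.X.X to 192.168.88.200; dst-nat is applied before the routing decision, so those packets traverse the forward chain and never reach the input chain, which means port 22 in the accept above cannot bring SSH to the router itself while that NAT rule exists (the poster's choice of port 23 for the router's SSH sidesteps this, and NAT rule #5, which dst-nats port 23 to the router's own LAN address, is then redundant since the packet is already addressed to the router). Second, the source address list is what keeps "open ports 22,80,443 on the WAN" from being an invitation to the whole internet; if you cannot pin admin sources down, at least keep the WAN drop as the last input rule and do not rely on a non-standard port for protection, as the second reply says.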